On Tue, Jul 30, 2013 at 3:49 PM, Rui Pedro Caldeira
<rpcaldeira@xxxxxxxxxxx> wrote:
> Hello, I'm using Wireshark to read from a pipe and I'm using the native IEEE
> 802.15.4 dissector, but I'm having trouble feeding Wireshark the proper
> bytes. I've tried to search but I can't find the right sequence of bytes the
> dissector is waiting for.
>
> Can anyone help me? Thanks in advance.

Not sure if that's exactly what you are asking for, but:

The 802.15.4 dissector does the following in proto_reg_handoff_ieee802154:

    dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4, ieee802154_handle);
    dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4_NONASK_PHY, ieee802154_nonask_phy_handle);
    dissector_add_uint("wtap_encap", WTAP_ENCAP_IEEE802_15_4_NOFCS, ieee802154_nofcs_handle);
    dissector_add_uint("sll.ltype", LINUX_SLL_P_IEEE802154, ieee802154_handle);

If you look into wiretap/pcap-common.c you will find that the following
linktypes are assigned for the WTAP_ENCAP_ defines:

    /* IEEE 802.15.4 Wireless PAN */
    { 195, WTAP_ENCAP_IEEE802_15_4 },
    ...
    /* IEEE 802.15.4 Wireless PAN non-ASK PHY */
    { 215, WTAP_ENCAP_IEEE802_15_4_NONASK_PHY },
    ...
    /* IEEE 802.15.4 Wireless PAN no fcs */
    { 230, WTAP_ENCAP_IEEE802_15_4_NOFCS },

Now, get over to the tcpdump linktypes [1] and check the descriptions
for 195, 215, 230. Choose the one that is the closest match to your data
and then set that number as the linktype in the pcap header.

[1] http://www.tcpdump.org/linktypes.html
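
Added example (not part of the original message and not Wireshark code): a generator for the byte stream described above, i.e. a pcap global header carrying link type 195 or 230 followed by one record per frame. The function names and the sample ACK frame are constructed for illustration; link type 215 is not handled.

```python
import struct
import sys
import time

LINKTYPE_WITH_FCS = 195  # mapped to WTAP_ENCAP_IEEE802_15_4
LINKTYPE_NO_FCS = 230    # mapped to WTAP_ENCAP_IEEE802_15_4_NOFCS


def fcs16(data: bytes) -> int:
    """IEEE 802.15.4 FCS: ITU-T CRC-16, initial value 0, bits taken LSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def pcap_global_header(linktype: int, snaplen: int = 256) -> bytes:
    # magic, version 2.4, thiszone, sigfigs, snaplen, network (= link type)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, linktype: int, ts: float) -> bytes:
    """frame is the MAC header plus payload, without the 2-byte FCS."""
    if linktype == LINKTYPE_WITH_FCS:
        frame += struct.pack("<H", fcs16(frame))  # FCS goes low byte first
    elif linktype != LINKTYPE_NO_FCS:
        raise ValueError("only link types 195 and 230 are handled here")
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    # ts_sec, ts_usec, captured length, original length, then the frame bytes
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def build_stream(frames, linktype: int, ts: float = 0.0) -> bytes:
    out = pcap_global_header(linktype)
    for i, frame in enumerate(frames):
        out += pcap_record(frame, linktype, ts + i)
    return out


# Constructed sample: ACK frame = frame control 0x0002 (little-endian) + seq 0x2a
SAMPLE_ACK = bytes.fromhex("02002a")

if __name__ == "__main__":
    sys.stdout.buffer.write(build_stream([SAMPLE_ACK], LINKTYPE_WITH_FCS, time.time()))
    sys.stdout.buffer.flush()
```

Piping the script's standard output into `wireshark -k -i -` makes Wireshark read the stream from stdin.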